(54) VERIFICATION TYPE SEARCH TREE

(57) Abstract:

PROBLEM TO BE SOLVED: To reduce the extensive calculation and
communication cost by having each node value computed with a
cryptographic hash function applied at least to the child node values
and the dynamic search value of that node, and by authenticating the
root node of the resulting search tree with a digital signature.

SOLUTION: A certification authority (CA) updates a search tree,
calculates the authentication path induced by the updated nodes,
applies a digital signature to the modified root node and sends the
corrected parameters to a directory 1. The directory 1 verifies that the
recalculated root value matches the root value from the CA. A user
inquires of the directory 1 about a certificate serial number; the
directory 1 calculates the induced authentication path and transmits it
to the user, and the user verifies the item. For instance, when the
directory 1 asserts that the certificate has been, the user applies the
hash function and checks from the leaf to the root.
FIELD OF THE INVENTION

The present invention is in the general field of digital signatures
for authentication purposes.

BACKGROUND OF THE INVENTION

The wide use of public key cryptography requires the ability to
verify the authenticity of public keys. This is achieved through the use of
certificates (that serve as a means for transferring trust) in a Public Key
Infrastructure (PKI). A certificate is a message signed by a publicly trusted
authority (the certification authority, whose public key authenticity may be
provided by other means) which includes a public key and additional data, such
as expiration date, serial number and information regarding the key and the
subject entity.

When a certificate is issued, its validity is limited by an expiration
date. However, there are circumstances (such as when a private key is revealed,
or when a key holder changes affiliation or position) where a certificate must be
revoked prior to its expiration date. Thus, the existence of a certificate is a
necessary but not sufficient evidence for its validity, and a mechanism for
determining whether a certificate was revoked is needed.

A typical application is a credit card system where the credit
company may revoke a credit card, temporarily or permanently, prior to its
expiration, e.g. when a card is reported stolen or according to its user's bank
account balance.
PRIOR ART DISCUSSION:

Certificate Revocation List (CRL)

A CRL is a signed list issued by the CA identifying all revoked
certificates by their serial numbers. The list is concatenated with a time stamp
(as an indication of its freshness) and signed by the CA that originally issued
the certificates. The CRLs are sent to the directory on a periodic basis, even if
there are no changes, to prevent the malicious replay of old CRLs instead of
new CRLs.

As an answer to a query, the directory supplies the most updated
CRL (the complete CRL is sent to the merchant).

• The main advantage of the scheme is its simplicity.

• The main disadvantage of the scheme is its high directory-to-user
communication costs (since CRLs may get very long). Another
disadvantage is that a user may not hold a succinct proof for the
validity of his certificate.

A reasonable validity expiration period should be chosen for
certificates. If the expiration period is short, resources are wasted reissuing
certificates. If the expiration period is long, the CRL may get long, causing high
communication costs and difficulties in CRL management. Kaufman et al. [15,
Section 7.7.3] suggested reissuing all certificates whenever the CRL grows
beyond some limit. In their proposal, certificates are marked by a serial number
instead of an expiration date. (Serial numbers are incremented for each issued
certificate. Serial numbers are not reused even when all certificates are
reissued.) The CRL contains a field indicating the first valid certificate. When
all certificates are reissued, the CRL first valid certificate field is updated to
contain the serial number of the first reissued certificate.
Certificate Revocation System

Micali [18] suggested the Certificate Revocation System (CRS) in
order to improve the CRL communication costs. The underlying idea is to sign
a message for every certificate stating whether it was revoked or not, and to use
an off-line/on-line signature scheme [11] to reduce the cost of periodically
updating these signatures.

To create a certificate, the CA associates with each certificate two
numbers (Y_365 and N) that are signed along with the traditional certificate data.
For each certificate, the CA chooses (pseudo) randomly two numbers N_0, Y_0 and
computes (using a one-way function f) Y_365 = f^365(Y_0) and N = f(N_0). (Actually,
a stronger assumption on f is required, e.g. that f is one-way on its iterates, i.e.
that given y = f^i(x) it is infeasible to find x' such that y = f(x'). This is
automatically guaranteed if f is a one-way permutation.)

The directory is updated daily by the CA sending it a number C
for each certificate as follows:

1. For a non-revoked certificate, the CA reveals one application of f,
i.e. C = Y_{365-i} = f^{365-i}(Y_0), where i is a daily incremented counter,
i = 0 on the date of issue.

2. For a revoked certificate, C = N_0.

Thus the most updated value for C serves as a short proof (that
certificate X was or was not revoked) that the directory may present in reply to
a user query.
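The CRS exchange just described, as an added example that is neither Micali's nor this patent's own code: the CA derives Y_365 and N from the secrets Y_0 and N_0, releases Y_{365-i} (or N_0) on day i, and the verifier applies f up to i times. SHA-256 stands in for the one-way function f, and the verifier is assumed to know the current day counter i.

```python
import hashlib
import secrets

PERIODS = 365  # one update per day over a one-year validity, as in the CRS description


def f(x: bytes) -> bytes:
    """The one-way function f of the scheme; SHA-256 stands in for it (assumption)."""
    return hashlib.sha256(x).digest()


def f_iter(x: bytes, n: int) -> bytes:
    """f^n(x): n successive applications of f."""
    for _ in range(n):
        x = f(x)
    return x


def issue_certificate():
    """CA side. Picks the secrets Y_0 and N_0 and returns the public values that are signed
    into the certificate (Y_365 = f^365(Y_0), N = f(N_0)) together with the CA's secrets."""
    y0 = secrets.token_bytes(32)
    n0 = secrets.token_bytes(32)
    public = {"Y365": f_iter(y0, PERIODS), "N": f(n0)}
    return public, (y0, n0)


def daily_value(ca_secret, day: int, revoked: bool) -> bytes:
    """What the CA sends the directory for this certificate on day i (i = 0 on the issue date):
    Y_{365-i} = f^{365-i}(Y_0) while the certificate is valid, N_0 once it is revoked."""
    y0, n0 = ca_secret
    if revoked:
        return n0
    if not 0 <= day <= PERIODS:
        raise ValueError("day outside the certificate's validity window")
    return f_iter(y0, PERIODS - day)


def check_status(public, c: bytes, day: int) -> str:
    """Verifier side (user or merchant), given the value C obtained from the directory.
    Costs up to `day` applications of f, so the work grows with the update rate, which is
    the drawback noted in the text. Returns 'revoked', 'valid' or 'invalid'."""
    if f(c) == public["N"]:
        return "revoked"
    if 0 <= day <= PERIODS and f_iter(c, day) == public["Y365"]:
        return "valid"
    return "invalid"  # neither chain matches: forged, stale, or for another certificate
```

A stale value from an earlier day does not verify against the current counter, so a directory cannot keep presenting an old "not revoked" proof after the CA has revoked the certificate.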

• The advantage of CRS over CRL is in its query communication costs.
Based on Federal PKI (Public Key Infrastructure) estimates, Micali [18]
showed that although the daily update of the CRS is more expensive
than a CRL update, the cost of CRS querying is much lower. He
estimated the result to be a 900 fold improvement in total communication
costs over CRLs.



Another advantage of CRS is that each user may hold a succinct
transferable proof of the validity of his certificate. Directory accesses are saved
when users hold such proofs and present them along with their certificates.

• The main disadvantage of this system is the increase in the
CA-to-directory communication (it is of the same magnitude as
directory-to-users communication, where the existence of a directory is
supposed to decrease the CA's communication). Moreover, since the
CA's communication costs are proportional to the directory update rate,
CA-to-directory communication costs limit the directory update rate.

The complexity of verifying that a certificate was not revoked is
also proportional to the update rate. For example, for an update once an hour, a
user may have to apply the function f 365 x 24 = 8760 times in order to verify
that a certificate was not revoked, making it the dominant factor in verification.

Certificate Revocation Trees

Kocher [16] suggested the use of Certificate Revocation Trees
(CRT), referred to also as authentication trees, in order to enable the verifier of a
certificate to get a short proof that the certificate was not revoked. A CRT is a
hash tree with leaves corresponding to a set of statements about certificate
serial number X issued by a CA, CA_X. The set of statements is produced from
the set of revoked certificates of every CA. It provides the information whether
a certificate X is revoked or not (or whether its status is unknown to the CRT
issuer). There are two types of statements: specifying ranges of unknown CAs,
and specifying certificate ranges of which only the lower certificate is
revoked. For instance, if CA_X revoked two certificates X_1 < X_2, then one of the
statements is:

if CA_X = CA_i and X_1 <= X < X_2 then X is revoked iff X = X_1.

To produce the CRT, the CRT issuer builds a binary hash tree
[17] with leaves corresponding to the above statements.

A proof for a certificate status is a path in the hash tree, from the
root to the appropriate leaf (statement), specifying for each node on the path the
values of its children.

• The main advantages of CRT over CRL are that the entire CRL is not
needed for verifying a specific certificate and that a user may hold a
succinct proof of the validity of his certificate.

• The main disadvantage of CRT is in the computational work needed to
update the CRT. Any change in the set of revoked certificates may result
in re-computation of the entire CRT.
GLOSSARY

There follows a glossary of terms, some of which are conventional and
others have been coined:

Certification Authority (CA) - A trusted party, already having a certified
public key, responsible for establishing and vouching for the authenticity of
public keys and/or other information such as credit card numbers.

A CA preferably, but not necessarily, does not provide on-line
certificate information services to users. Instead, it updates a directory on a
periodic basis. As will be shown below, in some embodiments directories are
not used.

A CA issues certificates for users by a message containing the
certificate serial number, relevant data and an expiration date. The certificate is
sent to a directory and/or given to the user. The CA may revoke a certificate
prior to its expiration date. Certificate is by no means bound to the latter
definition and may encompass data pertaining to e.g. one or more (such as a range
of) public key(s), credit card number(s), and others; presented either in explicit
form or after having been subject to a function such as encoding or encryption.

(The terms item and certificate are used in the specification interchangeably.)

Directory - One or more non-trusted parties that get updated certificate
revocation information from the CA and serve as a certificate database
accessible by the users.

User - A non-trusted party that receives its certificate from the CA and issues
queries for certificate information. User should be construed as encompassing
among others:

(i) a merchant who queries the validity of other users' certificates,

(ii) a user who gets proof of the validity of his/her certificate for using it
vis-a-vis other users.

Search tree - A well known data structure that is associated with a search
scheme which enables one to construct a search path, in the tree, from the root to a
sought item (associated with a leaf). The search path exploits search values
that reside in the tree nodes and possibly also in the links. A search tree is
inherently designed to handle update transactions (i.e. delete and/or insert items
to the tree). Typical, yet not exclusive, examples of search trees are: 2-3 tree,
Btree, Btree+, tries, treaps and others.

Update Transactions - Insert a new item into a tree; delete an existing item from a tree.

Authentication Tree - A rooted tree where each internal node authenticates the
values of its children by means of a cryptographic hash function and the root is
authenticated by means of a digital signature. A typical, yet not exclusive,
example is illustrated in the Merkle patent.

Cryptographic hash function - includes:

(i) a collision intractable function h() such that it is computationally
essentially infeasible to find y ≠ x satisfying h(x) = h(y). A typical, yet not
exclusive, example is illustrated in the Merkle patent; or

(ii) a universal one way hash function h() such that there exists a family of
functions h() such that for every x and random h() from the family, it is
computationally essentially infeasible to find y ≠ x satisfying h(x) = h(y).

(For a detailed discussion of (i) and (ii), see [6].)
SUMMARY OF THE INVENTION

There is, accordingly, a need in the art for eliminating or
substantially reducing the drawbacks associated with hitherto known
techniques by providing a novel technique for authenticating items.

The present invention incorporates the utilization of conventional
authentication trees as well as conventional search trees such as 2-3 tree, or
Btree. The utilization of search trees enables one to authenticate an item (or items)
whilst obviating the need to transmit a large amount of data to this end. The
utilization of the authentication tree, according to the prior art, enables one to
transmit a series of revoked (or otherwise valid) items.

The major drawback of using an authentication tree, e.g. of the
kind disclosed in the Merkle patent, arises when the latter is subject to
modification transactions. The latter bring about a new arrangement of items in
the leaves and, consequently (as will be exemplified below), necessitate the
modification of the values of a multitude of nodes (hereinafter modified nodes) in
the tree.

Not only is an extensive computation required in order to update
the values of the modified nodes, but also, by utilizing an authentication tree, high
communication overhead is imposed when the multitude of values of said
modified nodes are transmitted over the communication network, e.g. from the
CA to the directory. Considering that such modification may occur quite
frequently, the specified overhead renders the use of prior art authentication
trees commercially infeasible.

According to the invention, a conventional authentication tree is
"superimposed" on a conventional search tree (bringing about an authenticated
search tree), benefiting thus both from the inherent advantages of the
authentication tree insofar as authenticating items is concerned and from the
limited changes that are imposed on the tree nodes due to the search tree
structure.
Accordingly, the present invention provides for a memory
containing an authenticated search tree that serves for authenticating
membership or non-membership of items in a set; the authenticated search tree
comprising:

a search tree having nodes and leaves and having associated therewith a
search scheme; the nodes including dynamic search values and the leaves
including items of said set; the nodes are associated, each, with a cryptographic
hash function value that is produced by applying a cryptographic hash function
to at least: (I) the cryptographic hash values of the children nodes and (II) the
dynamic search value of said node;

at least the root node of said authenticated search tree is authenticated
by a digital signature.

Still further the invention provides for a method for authenticating
membership or non-membership of items in a set, comprising:

(i) providing an authenticated search tree of the kind specified;

(ii) authenticating at least one item of said set, by computing the
authentication path as induced by said at least one item and the root.

Still further the invention provides for a method for updating at least one
item of a set in an authenticated search tree, comprising:

(i) providing an authenticated search tree of the kind specified;

(ii) updating said search tree so as to obtain updated nodes;

(iii) computing an authentication path as induced by said updated nodes; and

(iv) authenticating at least said modified root node by a digital signature.

It should be noted that the specified order does not necessarily
imply that in an iterative procedure all the steps are performed in each iteration.
Thus for example the steps (ii) and (iii) may be performed in each iteration and
step (iv) may be applied once at the last iteration. This, likewise, applies to the
other aspects of method and system as described herein.

The invention further provides a system for
authenticating/updating mutatis mutandis.
BRIEF DESCRIPTION OF THE DRAWINGS

The invention will now be described, by way of example
only, with reference to the accompanying drawings, in which:

Fig. 1 illustrates an authentication tree according to the prior art;

Figs. 2A-B illustrate a search authenticated tree according to one
embodiment of the invention;

Fig. 3 illustrates a system configuration according to one embodiment of
the invention;

Fig. 4 illustrates a system configuration according to another
embodiment of the invention; and

Figs. 5A-B illustrate a manner in which a search authenticated tree is
updated according to the embodiment of Fig. 4.

DESCRIPTION OF SPECIFIC EMBODIMENTS

Attention is first directed to Fig. 1 illustrating an authentication
tree according to the prior art, e.g. as disclosed in the specified Merkle patent, the
contents of which are incorporated herein by reference.

Consider, for example, that certificates Y_1 to Y_8 stand for a
certificate list (CL) of all valid credit cards. Now, a user wants to use his credit
card Y_5 in a commercial transaction vis-a-vis a merchant. The merchant
addresses a directory that holds the authentication tree (i.e. the authentication tree
in respect of valid credit cards Y_1 to Y_8) of the kind disclosed in Fig. 1. It is
recalled that the directory is an un-trusted party and therefore the merchant
wants to verify that Y_5 indeed appears in the tree.
The collision intractable function h() serves for authenticating
item(s) (credit cards) Y_1 to Y_8 sorted according to credit card number, e.g. in
ascending order. Thus, in order to authenticate Y_5, it is sufficient for the
directory to transmit to the merchant the tree leaf and node values Y_5, H(6,6,Y),
H(7,8,Y) and H(1,4,Y), assuming that the root value H(1,8,Y) was previously
authenticated, e.g. using a digital signature. Of course, additional tree values
may be transmitted but, as will be appreciated from the description below,
transmitting additional tree values is absolutely redundant.

Thus, in order to authenticate Y_5, the merchant (knowing a priori
h()) calculates the authentication path, namely, H(5,5,Y) (on the basis of Y_5)
and, on the basis of H(5,5,Y) and the so received H(6,6,Y), the merchant
calculates H(5,6,Y). The latter, along with the so received H(7,8,Y), gives rise to
H(5,8,Y). The latter, along with the so received H(1,4,Y), gives rise to H(1,8,Y)
which is subject to the PKI technique (e.g. applying the public key), and the result
is compared to the previously authenticated H(1,8,Y) value and in the case of a
match, it is assured that the item Y_5 belongs to the list of valid credit cards.

The advantage of the authentication tree is, of course, that only a
few tree node values were transmitted to the user, who could nevertheless
authenticate the item Y_5 of interest. As will be explained below, the
specified description for authenticating items in respect of the prior art
authentication tree applies also to the search authenticated tree of the invention.

The major drawback of the authentication tree of Fig. 1 arises
when the latter is subject to a modification transaction, e.g. when a new credit card is
added to the list at the CA. Suppose that a new item Y_4' such that Y_4 < Y_4' < Y_5
is added. The resulting authentication tree (not shown) will necessitate
extensive update of most of the nodes in the tree and undue transmission
overhead of the updated information, which is obviously undesired, particularly
when bearing in mind that the rate of updating the CA with new items is as a
rule quite high.
The advantages and disadvantages equally apply when
considering a certificate revocation list (CRL) which holds the invalidated or
revoked items (e.g. invalid credit cards).

Considering now an exemplary search authenticated tree
according to one embodiment of the invention utilizing e.g. a 2-3 search tree
with a CRL (e.g. a list of revoked credit cards) held at the leaves, see Figs.
2A-B.

In this connection it should be noted that the invention is, by no
means, bound to the actual realization of the search tree and any known
technique that is utilized to this end is applicable, all as required and appropriate
depending upon the particular application. Thus, by way of non limiting
example, any manner of holding the items in the leaves is applicable, e.g. as
records, linked list, tree, or blocks (in the case of long items) etc. This statement is
likewise valid for the authentication tree.

Thus, by this particular embodiment, a 2-3 tree is maintained
with leaves corresponding to the revoked certificates' serial numbers (c1-c7) in
increasing order. (In a 2-3 tree every interior node has two or three children
and the paths from root to leaves have the same length. Testing membership
and modifying, i.e. inserting, deleting or updating a single element, are done in
logarithmic time, where the modification affects only the nodes on the
modification path. For a detailed presentation of 2-3 trees see [1, pp.169-180].)
The property of 2-3 trees is that test and modification involve only changes to
nodes on a search path, i.e. every change is local and the number of affected
paths is small.

The tree may be created either by inserting the serial numbers of
the revoked certificates one by one into an initially empty 2-3 tree, or by
sorting the list of serial numbers and building a degree 2 tree with leaves
corresponding to the serial numbers in the sorted list (because the
communication complexity is minimal when the tree is of degree 2).
Every tree node is assigned a value according to the following procedure:

• Each leaf stores a revoked certificate serial number as its value.

• The value of an internal node is computed by applying the cryptographic hash function h() to the values of its children and to at least the dynamic search values of the internal node (which also encompass links, whenever applicable). Whilst it is not obligatory, the cryptographic one way hash function h() may also be applied to information other than the dynamic search values that is associated with the node, e.g. information relevant for balancing the tree, etc.

Unlike the collision intractable function, applying the universal one way hash function to the internal nodes in the manner specified necessitates utilization of a unique function for each node. For the latter case, it is required to authenticate, in addition to the above referred to values of the children and the dynamic search values of the internal node, also the unique value of the function that is associated to the internal node.

There follows now a description that pertains to modifying the search authenticated tree according to one embodiment of the invention.

Thus, in order to delete an item, a conventional 2-3 delete item step is executed, namely:

1. Delete each expired certificate serial number from the 2-3 tree, updating the values of the nodes on the deletion path.

Likewise, in order to insert an item, a conventional 2-3 insert item step is executed, namely:

2. Insert each newly revoked certificate serial number into the tree, updating the values of the nodes on the insertion path.

During tree update, some new nodes may be created or some nodes may be deleted due to the balancing of the 2-3 tree. These nodes occur only on the search path for an inserted/deleted node (hereinafter: modified node).

The certification authority authenticates the tree by authenticating the root, and to this end only the search path that is induced by the modified nodes needs to be computed.

For a simpler implementation of the search authenticated tree, other trees, e.g. random treaps [2], may be used instead of 2-3 trees. Treaps are binary trees whose nodes are associated with (key, priority) pairs. The tree is a binary search tree with respect to node keys (i.e. for every node the keys in its left (resp. right) subtree are smaller (resp. greater) than its key) and a heap with respect to node priorities (i.e. for every node its priority is higher than its descendants' priorities). Every finite set of (key, priority) pairs has a unique representation as a treap. In random treaps, priorities are drawn at random from a large enough ordered set (thus, they are assumed to be distinct).

Seidel and Aragon [2] present simple algorithms for membership queries, insert and delete operations with expected time complexity logarithmic in the size of the set S stored in the treap. Random treaps may be easily converted into authenticated search data structures similarly to 2-3 trees. The communication costs of these schemes are similar since the expected depth of a random treap is similar to its 2-3 tree counterpart.

• The main advantage of random treaps is that their implementation is much simpler than the implementation of 2-3 trees.

• A drawback of using random treaps is that their performance is not guaranteed in the worst case, e.g. some users may (with low probability) get long authentication paths.

• Another drawback is that a stronger assumption is needed with respect to the directory. The analysis of random treaps is based on the fact that the adversary does not know the exact representation of a treap. A dishonest directory with the ability to change the status of certificates may increase the computational work and communication costs of the system.
The operation of a system of the invention will be exemplified in one non-limiting sequence of operation which refers to an embodiment of the invention as depicted in Fig. 3.

Generally speaking, there is provided a method in a CA, directory, user scheme, including the steps of:

(a) the user providing to a directory a list of at least one item for authenticating membership or non-membership of said at least one item in a set;

(b) the directory computing and transmitting to the user the authentication path(s) as induced by said at least one item; the directory further transmitting said authenticated root; and

(c) the user verifying said items.

Still further there is provided a method in a CA, directory, user scheme comprising the steps of:

the CA executing:

(i) updating said search tree so as to obtain updated nodes;

(ii) computing an authentication path as induced by said updated nodes; and

(iii) authenticating at least said root modified node by a digital signature;

(iv) transmitting modified parameters to said directory;

the directory executing:

(i) applying said modification parameters, so as to obtain an authenticated directory root value;

(ii) verifying that the authenticated CA root value matches the authenticated directory value.

A specific description of the general aspect above will now be given:

CA Operations

• Creating certificates: The CA produces a certificate by authenticating a message containing certificate data (e.g. user name and public key), certificate serial number and expiration date.
• Initialization: The CA creates the 2-3 tree, as above, for the set of initially revoked certificates. It computes and stores the values of all the tree nodes and sends to the directory the (sorted) list of revoked certificate serial numbers along with a signed message containing the tree root value, the tree height and a time stamp.

• Updating: The CA updates the tree by inserting/deleting certificates from it. After each insertion/deletion, all induced nodes are updated and the authenticated path is calculated accordingly. To update the directory, the CA sends modification parameters. The latter may be, for example, the list of induced nodes or the list of the transactions. In fact, modification parameters encompass any kind of information that enables the directory to update the tree at the directory end. Of course, authenticating the root encompasses the new root value but may likewise include other authenticated information, e.g. tree height and time stamp.

Directory operations:

• Initialization: Upon receiving the initial revoked certificates list, the directory computes by itself the whole 2-3 tree, checks the root value, tree height and time stamp, and verifies the CA's signature on these values.

• Response to CA's update: The directory updates the tree according to the modification parameters received from the CA. This results in a recomputed path and an authenticated directory root. Having done so, it verifies the so obtained root value vis-a-vis the authenticated root value received from the CA in order to determine a match, in which case the procedure terminates successfully. By this particular embodiment the root value, tree height and time stamp all have to match (the time, of course, within a reasonable interval).
• Response to user's queries: To answer a user query, the directory supplies the user with the authenticated root value, tree height and time stamp.

1. If the queried certificate is revoked, for each node in the path from the root to the leaf corresponding to the queried certificate, the directory supplies the user its value and its children's values.

2. If the queried certificate is not revoked (not in the list), the directory supplies the user the paths to two neighbouring leaves l1, l2 such that the value of l1 (resp. l2) is smaller (resp. larger) than the queried serial number.

Note that to reduce the communication costs, the directory need not send all the node values on the path from the root, but only those which are required for the user to compute the entire search path. The latter was exemplified in reference to Fig. 1 where, as recalled, only Y5, H(6,6,Y), H(7,8,Y) and H(1,4,Y) were required in order to authenticate the search path of Y5.

User Operations:

The user first verifies the CA's signature on the certificate and checks the certificate expiration date. Then, the user issues a query by sending the directory the certificate serial number s. Upon receiving the directory's answer to a query, the user verifies the CA's signature on the root value, tree height and time stamp.

1. If the directory claims the queried certificate is revoked, the user checks the leaf-to-root path supplied by the directory by applying the hash function h.

2. If the directory claims the queried certificate is not revoked, the user checks the two paths supplied by the directory and checks that they lead to two adjacent leaves in the 2-3 tree, with values l1, l2. The user checks that l1 < s < l2. As shown in Fig. 2B, for authenticating x (i.e. claiming that x does not belong to the revocation list) the search paths that authenticate the adjacent members x1 and x2 are transmitted, where x1 < x < x2.
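As an added example, not code from the patent, the node-value procedure and the directory and user operations above in Python over a degree-2 tree built from the sorted revoked list: the directory answers with the search path (membership) or with the paths to the two neighbouring leaves (non-membership), and the user recomputes the root, checks that every step is the genuine search step for that leaf, and for non-membership checks l1 < s < l2 and that the two leaves are adjacent. It assumes SHA-256 as h(), two sentinel leaves (0 and 2^l_sn) added by the CA so that every absent serial has a neighbour on each side, and leaves the CA's signature on the root out of scope.

```python
import bisect
import hashlib

# Constructed example (not the patent's own code): a degree-2 search authenticated
# tree over a sorted revoked list, with the directory's proofs and the user's checks.
L_SN = 20                      # serial-number length in bits, the document's l_sn
SENTINELS = (0, 2 ** L_SN)     # assumed: the CA adds two sentinel leaves so that every
                               # absent serial 0 < s < 2**L_SN has a neighbour on each side


def H(*parts):
    """Stands in for the document's hash h(): SHA-256 over the delimited fields."""
    return hashlib.sha256("|".join(str(p) for p in parts).encode()).hexdigest()


class Node:
    def __init__(self, value, split=None, left=None, right=None):
        self.value = value     # leaf: the serial number; internal: H(left, right, split)
        self.split = split     # dynamic search value: largest serial in the left subtree
        self.left, self.right = left, right


def build(serials):
    """CA side: build the tree over the sorted revoked list (sentinels included)."""
    if len(serials) == 1:
        return Node(serials[0])
    mid = (len(serials) + 1) // 2
    left, right = build(serials[:mid]), build(serials[mid:])
    return Node(H(left.value, right.value, serials[mid - 1]), serials[mid - 1], left, right)


def auth_path(root, serial):
    """Directory side: the leaf reached by searching `serial` and the path to it,
    root first, as (went_right, sibling value, split) steps: exactly the values the
    user needs to recompute the search path."""
    node, steps = root, []
    while node.left is not None:
        went_right = serial > node.split
        sibling = node.left if went_right else node.right
        steps.append((went_right, sibling.value, node.split))
        node = node.right if went_right else node.left
    return node.value, steps


def verify_path(leaf, steps, root_value):
    """User side: recompute the root from the leaf upward. Each step must also be the
    step a search for `leaf` would take, which is what the split values authenticate."""
    v = leaf
    for went_right, sibling, split in reversed(steps):
        if went_right != (leaf > split):
            return False
        v = H(sibling, v, split) if went_right else H(v, sibling, split)
    return v == root_value


def prove_absent(root, serials, s):
    """Directory side: paths to the two neighbouring leaves l1 < s < l2."""
    i = bisect.bisect_left(serials, s)
    return auth_path(root, serials[i - 1]), auth_path(root, serials[i])


def verify_absent(s, proof, root_value):
    """User side: both paths verify, l1 < s < l2, and the leaves are adjacent: the
    paths coincide down to one node where the first turns left and the second right,
    after which the first always turns right and the second always turns left."""
    (l1, p1), (l2, p2) = proof
    if not (l1 < s < l2 and verify_path(l1, p1, root_value)
            and verify_path(l2, p2, root_value)):
        return False
    k = 0
    while k < min(len(p1), len(p2)) and p1[k] == p2[k]:
        k += 1
    if k == len(p1) or k == len(p2) or p1[k][0] or not p2[k][0]:
        return False
    return all(st[0] for st in p1[k + 1:]) and not any(st[0] for st in p2[k + 1:])


if __name__ == "__main__":
    revoked = sorted(SENTINELS + (17, 42, 99, 1234, 5000, 65535, 70000))  # constructed
    tree = build(revoked)              # the CA signs tree.value (signature omitted here)
    leaf, path = auth_path(tree, 42)
    print("42 revoked:", leaf == 42 and verify_path(leaf, path, tree.value))
    print("43 not revoked:", verify_absent(43, prove_absent(tree, revoked, 43), tree.value))
```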

In the above scheme, the communication costs of verifying that a certificate was not revoked may be twice the communication costs of verifying that a certificate is in the list. To overcome this, the tree may be built such that every node corresponds to two consecutive serial numbers, thus having to send only one path in either case. Since the number of bits needed for holding the value of a tree node, i.e. the hash function security parameter (l_hash in the notation below), is more than twice the bits needed for holding a certificate serial number, this does not influence the tree size. In this connection it is recalled that a certificate or item embraces, amongst others, a range of values.

Attention is now drawn to Fig. 4 illustrating a system configuration according to another embodiment of the invention. Thus, some protocols avoid the need for a revocation system by using short-term certificates (e.g. micropayment protocols where a certificate owner may cause a limited damage [13]). These certificates are issued daily and expire at the end of the day of issue. Actually, even shorter periods are desired, and the main limit is the increase in certification authority computation (certificates for all users have to be computed daily) and communication (certificates should be sent to their owners) that short-term certificates cause.

An on-line/off-line digital signature scheme (like CRS) will reduce the computation the CA has to perform, but it will not reduce significantly the communication costs, since the CA has to send different messages to different users, making the CA a communication bottleneck. This calls for a solution where the CA performs a simple computation (say, concerning only new users and users whose certificates are not renewed) and sends a common update message to all users. Using this message, exactly all users with non-revoked certificates should be able to prove the validity of their certificates. To meet the latter embodiment, a simple modification to the certificate revocation scheme is proposed to yield an efficient certificate update scheme in which the CA sends the same update message to all users. In this solution there is no assumption of the existence of a directory (see Fig. 4) with information about all certificates, but of local directories that may hold the latest messages that are sent by the directory.

As before, the scheme is based on a tree of revoked certificates (or, otherwise, valid certificates) created by the certification authority, as presented above. Since there is no way to extract certificates from a directory, every user gets an initial certificate that may be updated using the CA's messages. Specifically, the CA augments every issued certificate with the path proving its validity; this is the only part of the certificate that is updated periodically.

To update all certificates simultaneously, the CA updates its copy of the tree, and publishes the tree paths that were changed since the previous update (constituting one, non-limiting form of induced sub-tree) (see Fig. 5A). Every user holding a non-revoked certificate intersects its self path with the induced tree, preferably by locating the lowest node, v, on a path that coincides with the self path, and updates his path by copying the new node values from v up to the root. All users holding a revoked certificate cannot update their path, unless they crack the one-way characteristics of the function h. As shown in Fig. 5B, the user brings the self path into coincidence with the induced sub-tree and seeks the lowermost discrepancy node (designated by dot 100 in Fig. 5A). What remains to be done is to update the nodes from the so detected node to the root, and to authenticate the root and verify it vis-a-vis the authenticated root value transmitted from the CA. The latter procedure is obviously very cost effective in terms of the computation overhead that is posed on each user.

Since the CA communication is reduced, one may use this update scheme for, say, updating certificates once every hour. This may cause some users to lag in updating their certificates, and the local directories should save several latest update messages (e.g. using conventional proxy servers), and some aggregate updates (combining update messages of a day) enabling users that lag several days to update their certificates.

The latter specific description is defined more generally as follows: a method according to Claim 6, in a CA user scheme comprising:

the CA executing:

(i) updating said search tree so as to obtain updated nodes;

(ii) computing an authentication path as induced by said updated nodes; and

(iii) authenticating at least said root modified node by a digital signature;

(iv) transmitting the induced sub-tree to said user;

the user executing:

(i) intersecting said induced sub-tree with the user self path and obtaining a user authenticated root value;

(ii) verifying that the authenticated CA root value matches the authenticated user value.

Those versed in the art will readily appreciate that the realization of the embodiments of Figs. 3 and 4 is not bound to any specific hardware and/or software architecture. Thus, by way of non-limiting example, the CA, directory and user may be interlinked by any available communication network, e.g. the Internet. By way of another non-limiting example, each of the specified constituents may be implemented on e.g. a conventional P.C. computer, mainframe computer or network of computers, all as required and appropriate, depending upon the particular application.

Evaluation

In the following, the communication costs of CRL, CRS and one, non-limiting, embodiment of a system/method of the invention are compared. Based on this analysis, it is shown that the proposed system is more robust to changes in parameters, and allows higher update rates than the others.
Other advantages of the proposed scheme are:

• The CA has to keep a smaller secret than in CRS.

• Since CA-to-directory communication is low, the CA may communicate with the directory using a slow communication line secured against breaking into the CA's computer (the system security is based on the ability to protect the CA's secrets).

• In the case of a 2-3 tree, there is never a need to re-compute the entire tree to update it. This allows higher update rates than CRS.

• Another consequence of the low CA-to-directory communication is that a CA may update many directories, avoiding bottlenecks in the communication network.

Communication Costs

The parameters we consider are:

• n - Estimated total number of certificates (n = 3,000,000).

• k - Estimated average number of certificates handled by a CA (k = 30,000).

• p - Estimated fraction of certificates that will be revoked prior to their expiration (p = 0.1). (It is assumed that certificates are issued for one year, thus the number of certificates revoked daily is n·p/365.)

• q - Estimated number of certificate status queries issued per day (q = 3,000,000).

• T - Number of updates per day (T = 1).

• l_sn - Number of bits needed to hold a certificate serial number (l_sn = 20).

• l_stat - Number of bits needed to hold the certificate revocation status numbers Y_365 and N_0 (l_stat = 100).

• l_sig - Length of signature (l_sig = 1,000).

• l_hash - Security parameter for the hash function (l_hash = 128).

Values for n, k, p, q, T, l_sn, l_stat are taken from Micali [18], and l_hash is specific to our scheme.

CRL Costs

• The CRL daily update cost is T·n·p·l_sn since each CA sends the whole CRL to the directory in each update. An alternative update procedure where the CA sends to the directory only a difference list (which serial numbers to add/remove from the previous CRL) costs n·p·l_sn/365.

• The CRL daily query cost is q·n·p·l_sn since for every query the directory sends the whole CRL to the querying user.

CRS Costs

• The CRS daily update cost is T·n·(l_sn + l_stat) since for every certificate the CA sends l_stat bits of certificate revocation status.

• The CRS daily query cost is l_stat·q.

The proposed scheme

• To update the directory, the CA sends the difference lists of total daily length n·p·l_sn/365 + T·l_sig.

• To answer a user's query, the directory sends up to 2·log2(p·k) numbers, each l_hash bits long, totaling 2·q·l_hash·log2(p·k) bits.
The following table shows the estimated daily communication costs (in bits) according to the three schemes.

                                   CRL Costs     CRS Costs     Proposed Scheme
  Daily update (CA-directory)      6·10^6        3.6·10^8
  Daily queries (Directory-users)  1.8·10^13     3·10^8        7·10^9

As shown in the table, the proposed scheme costs are lower than CRL costs both in CA-to-directory and in directory-to-users communication. The CA-to-directory costs are much lower than the corresponding CRS costs but the directory-to-user (and thus the overall) communication costs are increased. Note that in practice, due to communication overheads, the difference between CRS and the proposed method in directory-to-users communication may be insignificant.

The proposed scheme is more robust to changes in parameters than CRL and CRS. Since these are bound to change in time or due to the specific needs of different implementations, it is important to have a system that is robust to such changes.

Changes will occur mainly in the total number of certificates (n) and the update rate (T). In the proposed method, changes in n are moderated by a factor of p. Changes in T are moderated by the fact that the update communication costs are not proportional to n·T but to T·l_sig. Figure 8 shows how the CA-to-directory update communication costs of the three methods depend on the update rate (all other parameters are held constant). The update communication costs limit CRS to about one update a day (another factor that limits the update rate is the amount of computation needed by a user in order to verify that a certificate was not revoked). The proposed scheme is much more robust, even allowing once-per-hour updates.
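As an added example (not from the document), the cost model of this section written as Python functions over the stated parameters, so that the dependence on the update rate T that Figure 8 describes can be recomputed for any T; the difference-list term n·p·l_sn/365 is reconstructed from the document's daily-revocation figure and is an assumption.

```python
import math

# Constructed example, not the patent's own code: the daily communication-cost
# model of the Evaluation section, evaluated over the document's parameters.
PARAMS = {"n": 3_000_000, "k": 30_000, "p": 0.1, "q": 3_000_000,
          "T": 1, "l_sn": 20, "l_stat": 100, "l_sig": 1_000, "l_hash": 128}


def crl_costs(n, p, q, T, l_sn, **_):
    """(CA-to-directory, directory-to-users) bits per day for CRL:
    the whole CRL is sent at every update and for every query."""
    return T * n * p * l_sn, q * n * p * l_sn


def crs_costs(n, q, T, l_sn, l_stat, **_):
    """CRS: a revocation-status number for every certificate at every update,
    one status number per query."""
    return T * n * (l_sn + l_stat), q * l_stat


def proposed_costs(n, k, p, q, T, l_sn, l_sig, l_hash, **_):
    """Proposed scheme: the daily difference list (n*p/365 revocations of l_sn bits,
    an assumption reconstructed from the document's daily-revocation figure) plus
    one signed root per update; each answer carries up to 2*log2(p*k) values."""
    return n * p / 365 * l_sn + T * l_sig, 2 * q * l_hash * math.log2(p * k)


SCHEMES = {"CRL": crl_costs, "CRS": crs_costs, "Proposed": proposed_costs}


def daily_costs(T=1, **overrides):
    """(update, query) daily costs for all three schemes at T updates per day."""
    params = {**PARAMS, **overrides, "T": T}
    return {name: fn(**params) for name, fn in SCHEMES.items()}


def update_cost_growth(name, T):
    """Factor by which the CA-to-directory cost grows from 1 to T updates a day,
    the robustness argument of Figure 8 (CRL and CRS scale with T, the proposed
    scheme only through its signature term)."""
    return daily_costs(T)[name][0] / daily_costs(1)[name][0]


if __name__ == "__main__":
    for name, (upd, qry) in daily_costs().items():
        print(f"{name:9s} update {upd:.2e} bits/day   queries {qry:.2e} bits/day")
    for T in (1, 24):
        print(f"T={T:2d}:", {s: f"{update_cost_growth(s, T):.1f}x" for s in SCHEMES})
```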
The present invention has been described with a certain degree of particularity, but it should be understood that various modifications and alterations may be made without departing from the scope or spirit of the invention as defined by the following claims:
CLAIMS:

1. A memory containing an authenticated search tree that serves for authenticating membership or non-membership of items in a set; the authenticated search tree comprising:

a search tree having nodes and leaves and having associated therewith a search scheme; the nodes including dynamic search values and the leaves including items of said set; the nodes are associated, each, with a cryptographic hash function value that is produced by applying a cryptographic hash function to at least: (I) the cryptographic hash values of the children nodes and (II) the dynamic search value of said node;

at least the root node of said authenticated search tree is authenticated by a digital signature.

2. A search authenticated tree wherein said cryptographic hash function, being of the universal one way function type, and wherein said cryptographic one way function is further applied to a universal one way function that is unique to each internal node.

3. A search authenticated tree of Claim 1, wherein said search tree being a B-tree.

4. A search authenticated tree of Claim 1, wherein said search tree being a 2-3 tree.

5. A method for authenticating membership or non-membership of items in a set; comprising:

(i) providing an authenticated search tree as defined in Claim 1;

(ii) authenticating at least one item of said set by computing the authentication path as induced by said at least one item and the root.

6. A method for updating at least one item of a set in an authenticated search tree, comprising:

(i) providing a search authenticated tree as defined in Claim 1;

(ii) updating said search tree so as to obtain updated nodes;

(iii) computing an authentication path as induced by said updated nodes; and

(iv) authenticating at least said root modified node by a digital signature.

7. A method according to Claim 5, in a CA, directory, user scheme, wherein said step (ii) includes:

(a) the user providing to a directory a list of at least one item for authenticating membership or non-membership of said at least one item in a set;

(b) the directory computing and transmitting to a user the authentication path(s) as induced by said at least one item; the directory further transmitting said authenticated root; and

(c) the user verifying said items.

8. A method according to Claim 6, in a CA, directory, user scheme comprising the steps of:

the CA executing:

(i) updating said search tree so as to obtain updated nodes;

(ii) computing an authentication path as induced by said updated nodes; and

(iii) authenticating at least said root modified node by a digital signature;

(iv) transmitting modified parameters to said directory;

the directory executing:

(i) applying said modification parameters, so as to obtain an authenticated directory root value;

(ii) verifying that the authenticated CA root value matched the authenticated directory value.

9. A method according to Claim 6, in a CA user scheme comprising:

the CA executing:

(i) updating said search tree so as to obtain updated nodes;

(ii) computing an authentication path as induced by said updated nodes; and

(iii) authenticating at least said root modified node by a digital signature;

(v) transmitting induced sub-tree to said user;

the user executing:

(iii) intersecting said induced sub-tree with user self path and obtaining user authenticated root value;

(iv) verifying that the authenticated CA root value matched the authenticated user value.
FIG. 5A FIG. 5B

Abstract

A memory containing an authenticated search tree that serves for authenticating membership or non-membership of items in a set. The authenticated search tree includes a search tree having nodes and leaves and being associated with a search scheme. The nodes include dynamic search values and the leaves include items of the set. The nodes are associated, each, with a cryptographic hash function value that is produced by applying a cryptographic hash function to the cryptographic hash values of the children nodes and to the dynamic search value of the node. The root node of the authenticated search tree is authenticated by a digital signature.